bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1

Analysis

max time kernel
7s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe
Size

2.0MB
MD5

d5bdd10d41558b2d4ed4f1c731e8e214
SHA1

ee926e7db0c9b46d5d12cf347d185fd423668b44
SHA256

bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1
SHA512

cd8de15dd62f5f8f7bc92bc25b9a37b8856acf10b6c2d373f593e01a8ddf1900e619263030fffe0d5a0162ed7785361170b466261d0e01d15472d054fa73dea8
SSDEEP

24576:h1OYdaOJaacvu7gXAfwlUlZov8Hk7IelYNJbMBhTlmWCv9oU+pHi00CScsPzMZpL:h1OsCqZBJgvzCg50qNLae

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	cQP2y1zbgFbROe4.exe

Loads dropped DLL 4 IoCs

pid	Process
1360	bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe
1784	cQP2y1zbgFbROe4.exe
1588	regsvr32.exe
1348	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfidflfndpjcafmjchklnbemaekiihk\2.0\manifest.json	cQP2y1zbgFbROe4.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfidflfndpjcafmjchklnbemaekiihk\2.0\manifest.json	cQP2y1zbgFbROe4.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfidflfndpjcafmjchklnbemaekiihk\2.0\manifest.json	cQP2y1zbgFbROe4.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	cQP2y1zbgFbROe4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	cQP2y1zbgFbROe4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	cQP2y1zbgFbROe4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	cQP2y1zbgFbROe4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	cQP2y1zbgFbROe4.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.tlb	cQP2y1zbgFbROe4.exe
File opened for modification	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.tlb	cQP2y1zbgFbROe4.exe
File created	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dat	cQP2y1zbgFbROe4.exe
File opened for modification	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dat	cQP2y1zbgFbROe4.exe
File created	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll	cQP2y1zbgFbROe4.exe
File opened for modification	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll	cQP2y1zbgFbROe4.exe
File created	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dll	cQP2y1zbgFbROe4.exe
File opened for modification	C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dll	cQP2y1zbgFbROe4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1784	1360	bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe	28
PID 1360 wrote to memory of 1784	1360	bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe	28
PID 1360 wrote to memory of 1784	1360	bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe	28
PID 1360 wrote to memory of 1784	1360	bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe	28
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1784 wrote to memory of 1588	1784	cQP2y1zbgFbROe4.exe	29
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30
PID 1588 wrote to memory of 1348	1588	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe
"C:\Users\Admin\AppData\Local\Temp\bc113a43a41c4192d3349182f26f4c804008f68ea27867c0cca3dcc61de208d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cQP2y1zbgFbROe4.exe
  .\cQP2y1zbgFbROe4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dat

Filesize
6KB

MD5
a164df8c4c263541d0c5fa23e86c53aa

SHA1
8636fa4319ad552fb8a253608d5b1f9ad13df14c

SHA256
0031782145b943affc23ceb6d11d4a66fd63ce31ce021dcd3fed679329937cfa

SHA512
b0aa0ba275184a77975af5861c9704ab77d2a73976fa5ea8c79447a0d2c4e6260d61d4b47b47887a9148d76ea47950270761509afe4b8866f7e215227ae3104c

Download Submit
C:\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
97b9c651528eb61b08d1ea33692dce50

SHA1
76a234b1bea77ca951b1bdfd045e51cb4780348c

SHA256
d0e9f7ff71198817dd2d846589561dc669ecbb519c27be9392aa210703347a94

SHA512
6366fa247fd25269bb102d2c07b6ef5297d3d2e5a75db5311ad58dda21ef3a2db859113cc3b2f11314c914ccbe6d5a0509f0e4999fac1b48d9b80774858858e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
45d8340c0bf8a2e621328c3ef3737687

SHA1
4aac9d422b6e38e6d3a740472d483cd0e536abe2

SHA256
bf9d2946c575cb1bbe06702e4f6bd5194bad668b8a85bf3f506060b645ac59b9

SHA512
e75b7994afc1893b0fa0fcf34050b0f4d60b6dfd97affe571050461a8e95e16430f822db8a51ac8077c0f104565e311e56063ba65ac97028b397421b980c5d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\[email protected]\install.rdf

Filesize
600B

MD5
2d7de1a187337609325c6c7b83a4125e

SHA1
b325821491dd728d0424331133388f2546d2376e

SHA256
8330ac75c2f47ef7cbdff554c1a9da3579809ed3d46568f691c097e261831234

SHA512
7064e58bee380afcc7ba1f5bc77baa9dbfc267c55b00f3e7e92fc2c245a2b3499197b04682a071473dd5ef94a50507afe6e5059bea95fc4d3d32cd34c3ff9b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cQP2y1zbgFbROe4.dat

Filesize
6KB

MD5
a164df8c4c263541d0c5fa23e86c53aa

SHA1
8636fa4319ad552fb8a253608d5b1f9ad13df14c

SHA256
0031782145b943affc23ceb6d11d4a66fd63ce31ce021dcd3fed679329937cfa

SHA512
b0aa0ba275184a77975af5861c9704ab77d2a73976fa5ea8c79447a0d2c4e6260d61d4b47b47887a9148d76ea47950270761509afe4b8866f7e215227ae3104c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cQP2y1zbgFbROe4.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cQP2y1zbgFbROe4.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cdfidflfndpjcafmjchklnbemaekiihk\WNDmRK1.js

Filesize
5KB

MD5
1dd5f2e8485db470b1c21638b7f143c7

SHA1
d6f1bbd01a652727f5d2ab75c3c6d50e1bbfdbbd

SHA256
6f5e224654a9c15891c629d1be1910e5b3e549ac2b198b309f9f08b3537509bb

SHA512
3adb4f60f71699c9a1e3826d2aa9f5c573bffc08f83edc81b6bb0488130cfc15b99cd5d6ee85988b67c98a02d70bbbfe3916a584e98ecab426e800e1cebeb51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cdfidflfndpjcafmjchklnbemaekiihk\background.html

Filesize
144B

MD5
74bf6f0a584b981c1b956e3de0ddab3d

SHA1
c2ae4dd978c7e6812a53c4bb089260a0647694e8

SHA256
1b1269e2abc19d7668e8d94e1a5324c64ddf7eff191a42992bb54977c9dfc80f

SHA512
38dc41a50df6407fd62ec3df35757de257c293b40759118ac6514450c674e9d0de032a6bd3b51518cd2861dcae914b94bef08c6e52130afbd3847a999bcd1392

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cdfidflfndpjcafmjchklnbemaekiihk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cdfidflfndpjcafmjchklnbemaekiihk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cdfidflfndpjcafmjchklnbemaekiihk\manifest.json

Filesize
500B

MD5
d6076ed28394f1e90cccfb41d4229679

SHA1
92151d46a8e1c80715b31b14febd2602ccd153c2

SHA256
538fe7d856df911b8ea6d15dd539fb5123439e05272cfe100f0ee765fbf7cf0d

SHA512
651dd4069738bad9b73a349c8576842c479117c1c9cab707567d73578ee68c6e5fa99d87812d937dea69a05e873615459b7db69965bb1678dc6f5d2be8e460a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\ta5hKOsprhK74w.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\ta5hKOsprhK74w.tlb

Filesize
3KB

MD5
671b9e077657df17db9f3ed2da6bae37

SHA1
bfed6f97de94dc0b4377543c395a5a5453e3f699

SHA256
6ce2d1fb8f5d7bf1a4d4dfa06525484c538e18f5cff12c6b1cf68208313cb68c

SHA512
39973c90739c4c0dcdc70e70673a8dcfb7e9795daf8ad37a8264eb1206bd437aacbbf5c2ed8b3645fac317a6cc98be5413b738c5fe02f3f18272a4349c41676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\ta5hKOsprhK74w.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
\Program Files (x86)\GouSavee\ta5hKOsprhK74w.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
\Program Files (x86)\GouSavee\ta5hKOsprhK74w.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7D2C.tmp\cQP2y1zbgFbROe4.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
memory/1348-78-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1360-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download